Thursday, March 14, 2013

Make service call with client certificate after receiving 401 Unauthorized errors

Scenario:
  • Call a service that requires a client certificate. 
  • The AppPool is set as an independent identity, NetworkService for example.
  • Everything works in the Dev environment because the developer has Administrator privileges, is logged on locally, and has the certificate installed in the local cert store.
  • The certificates are stored on disk at C:\MyCertificates\ or accessed directly from cert store.
  • The certificate is being applied at runtime successfully in Dev.
Problem:
When installing in a new environment and running with the AppPool as NetworkService, the service response is:
The remote server returned an error: (401) Unauthorized.

Here are a few things to keep in mind followed by a brief resolution description and help links:
  • Even if a project is bypassing the cert store and importing the cert directly, the cert still needs to be properly configured in the cert store.
  • The cert needs to be configured in the machine cert store or the personal cert store of the identity making the request.
  • Microsoft WCF client code does not throw an exception on this misconfiguration.
  • Explicit checks will display a false positive when a cert is not usable due to an improperly configured cert store:
      ((HttpWebRequest)request).ClientCertificates.Add(cert);
      int certCount = ((HttpWebRequest)request).ClientCertificates.Count; // Count will return 1
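The count check above passes even when the AppPool identity cannot read the private key. The following is an added example, not code from the original post, that fails fast instead: it loads the cert from LocalMachine\My by thumbprint (THUMBPRINT_PLACEHOLDER is a placeholder you replace) and forces the private key open before attaching the cert to the request.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post). Verifies the running identity
// (e.g. NetworkService) can actually use the client cert's private key.
static class ClientCertCheck
{
    const string Thumbprint = "THUMBPRINT_PLACEHOLDER"; // placeholder, not a real value

    public static X509Certificate2 LoadUsableClientCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Client cert not in LocalMachine\\My; install it on this machine.");
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Cert present but has no private key; re-import from the .pfx.");
            try
            {
                // Touching the private key forces the key container open; this
                // throws a CryptographicException when the current identity has
                // not been granted access (winhttpcertcfg -g).
                var key = cert.PrivateKey;
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key not readable by " + Environment.UserName +
                    "; grant access with winhttpcertcfg -g.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    public static HttpWebRequest BuildRequest(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(LoadUsableClientCert());
        return request; // only reached with a cert the identity can use
    }
}
```

Run this under the AppPool identity; a thrown InvalidOperationException points at the exact misconfiguration instead of a 401 from the remote service.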
Resolution:
  1. Download and then install the Microsoft Windows HTTP Services Certificate Configuration Tool. To obtain the tool, visit the following Microsoft Web site: http://www.microsoft.com/en-us/download/details.aspx?id=19801
  2. Run the following command at a command prompt:
    winhttpcertcfg -i PFXFile -c LOCAL_MACHINE\My -a IWAM_TESTMACHINE -p PFXPassword
    Note: PFXFile is the name of the .pfx file. PFXPassword is the password for the .pfx file. If the file does not require a password, omit the -p parameter. Typically, the WinHttpCertCfg.exe file is located in the following folder: C:\Program Files\Windows Resource Kits\Tools
  3. To grant access for a specific user account, run the following command at a command prompt:
    WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "IssuedToName" -a "AccountName"
  4. To install the root certificate for the CA, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in, and then click Add.
    3. In the Add Standalone Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, and then click Finish.
    4. Click Close, and then click OK.
    5. Expand Certificates (Local Computer), right-click Trusted Root Certification Authorities, click All Tasks, and then click Next.
    6. In the Certificate Import Wizard dialog box, click Next, and then in the File name box, type the name of the certificate file or navigate to the .pfx file, then click Next two times.
    7. Click Finish, and then click OK.
Help links:
     http://www.microsoft.com/en-us/download/details.aspx?id=19801
     http://support.microsoft.com/kb/901183?wa=wsignin1.0